Skip to content

chore(deps): bump reqwest from 0.12.28 to 0.13.4#147

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/reqwest-0.13.4
Closed

chore(deps): bump reqwest from 0.12.28 to 0.13.4#147
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/reqwest-0.13.4

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 29, 2026
edited
Loading

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Bumps reqwest from 0.12.28 to 0.13.4.

Release notes

Sourced from reqwest's releases.

v0.13.4

tl;dr

  • Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
  • Add ClientBuilder::http2_keep_alive_* options for the blocking client.
  • Add TLS 1.3 support when using native-tls backend.
  • Fix redirect handling to strip sensitive headers when the scheme changes.
  • Fix HTTP/3 happy-eyeball connection creation.
  • Upgrade hickory-resolver to 0.26.

What's Changed

New Contributors

Full Changelog: seanmonstar/reqwest@v0.13.3...v0.13.4

v0.13.3

tl;dr

  • Fix CertificateRevocationList parsing of PEM values.
  • Fix logging in resolver to only show host, not full URL.
  • Fix hickory-dns to fallback to a default if /etc/resolv.conf fails.
  • Fix HTTP/3 to handle STOP_SENDING as not an error.
  • Fix HTTP/3 pool to remove timed out QUIC connections.
  • Fix HTTP/3 connection establishment picking IPv4 and IPv6.
  • Upgrade rustls-platform-verifier.
  • (wasm) Only use wasm-bindgen on unknown-* targets.

What's Changed

... (truncated)

Changelog

Sourced from reqwest's changelog.

v0.13.4

  • Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
  • Add ClientBuilder::http2_keep_alive_* options for the blocking client.
  • Add TLS 1.3 support when using native-tls backend.
  • Fix redirect handling to strip sensitive headers when the scheme changes.
  • Fix HTTP/3 happy-eyeball connection creation.
  • Upgrade hickory-resolver to 0.26.

v0.13.3

  • Fix CertificateRevocationList parsing of PEM values.
  • Fix logging in resolver to only show host, not full URL.
  • Fix hickory-dns to fallback to a default if /etc/resolv.conf fails.
  • Fix HTTP/3 to handle STOP_SENDING as not an error.
  • Fix HTTP/3 pool to remove timed out QUIC connections.
  • Fix HTTP/3 connection establishment picking IPv4 and IPv6.
  • Upgrade rustls-platform-verifier.
  • (wasm) Only use wasm-bindgen on unknown-* targets.

v0.13.2

  • Fix HTTP/2 and native-tls ALPN feature combinations.
  • Fix HTTP/3 to send h3 ALPN.
  • (wasm) fix RequestBuilder::json() from override previously set content-type.

v0.13.1

  • Fixes compiling with rustls on Android targets.

v0.13.0

  • Breaking changes:
    • rustls is now the default TLS backend, instead of native-tls.
    • rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
    • rustls-tls has been renamed to rustls.
    • rustls roots features removed, rustls-platform-verifier is used by default.
      • To use different roots, call tls_certs_only(your_roots).
    • native-tls now includes ALPN. To disable, use native-tls-no-alpn.
    • query and form are now crate features, disabled by default.
    • Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).
  • Many TLS-related methods renamed to improve autocompletion and discovery, but previous name left in place with a "soft" deprecation. (just documented, no warnings)
    • For example, prefer tls_backend_rustls() over use_rustls_tls().
Commits
  • 11489b3 v0.13.4
  • d31ffbb feat: Expose HTTP2 keep alive configurations in blocking client (#3043)
  • 79ed0d7 feat: support TLS 1.3 as min version under native-tls 🎉 (#2975)
  • fb7bf6a fix: remove unwrap in hickory initialization (#3041)
  • 3da616f fix: update hickory-resolver to 0.26 and adjust code accordingly (#3040)
  • c77e7b2 fix(http3): use happy eyeballs for h3 connect (#3030)
  • 9cbb65b chore: clean up minimal-versions CI job (#3039)
  • 17a7dc5 chore: upgrade MSRV to 1.85 (#3038)
  • 03db63a fix(redirect): strip sensitive headers on scheme change across redirects (#3034)
  • 4b813a8 feat: add tls_sslkeylogfile builder method (#2923)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump reqwest from 0.12.28 to 0.13.4
ead04e1 
Bumps [reqwest](https://github.com/seanmonstar/reqwest) from 0.12.28 to 0.13.4.
- [Release notes](https://github.com/seanmonstar/reqwest/releases)
- [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md)
- [Commits](seanmonstar/reqwest@v0.12.28...v0.13.4)

---
updated-dependencies:
- dependency-name: reqwest
  dependency-version: 0.13.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels May 29, 2026
@hyperpolymath hyperpolymath mentioned this pull request May 30, 2026
Merged
3 tasks
@hyperpolymath
Copy link
Copy Markdown
Owner

hyperpolymath commented May 30, 2026

Closing as superseded by ambientops#153 (estate dependabot policy conformance, standards#301). The canonical ignore: dependency-name "*" semver-major rule now in main blocks unattended major bumps. This dependabot bump needs a paired call-site update — file an author-supplied PR if/when the migration is done.

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 30, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/cargo/reqwest-0.13.4 branch May 30, 2026 18:52
hyperpolymath added a commit that referenced this pull request May 30, 2026
@hyperpolymath
chore(deps): apply estate dependabot policy — ignore semver-major (st…
5b40aba 
…andards#301) (#153)

## Summary

- Adds the canonical estate `ignore: dependency-name "*"
version-update:semver-major` block to each non-github-actions ecosystem
entry in `.github/dependabot.yml`
- 9 entries get the ignore (5 cargo: root + czech-file-knife + panoptes
+ personal-sysadmin + displace; mix; npm; pip; nix). github-actions is
left as-is per estate doc — SHA pins make action majors safe.
- Brings ambientops into conformance with standards#301 /
docs/DEPENDABOT-POLICY.adoc

## Context

Per the 2026-05-29 echidna incident (#120-#124 broke main for ~24h),
unattended dependabot semver-major merges fly through the estate
validation gates (K9 / A2ML / language-policy) but break the actual
compile gates on subsequent pushes. Estate policy now: majors land via
author-supplied PRs paired with call-site updates.

This PR closes 7 risky in-flight dependabot PRs as superseded:

- #147 reqwest 0.12.28→0.13.4 (0.x minor breaking)
- #145 config 0.14.1→0.15.23 (0.x minor breaking, multi-version)
- #144 symphonia 0.5.5→0.6.0 (0.x minor breaking)
- #146 thiserror 1.0.69→2.0.18 (major)
- #142 colored 2.2.0→3.1.1 (major)
- #136 rusqlite 0.31.0→0.40.0 (0.x huge jump)
- #135 nix 0.30.1→0.31.3 (0.x minor breaking)

Each needs a paired code-side migration that hasn't been done; this PR
parks them safely via the canonical policy.

## Test plan

- [ ] dependabot config check passes (YAML valid)
- [ ] CI green (existing gates)
- [ ] After merge, dependabot does not re-file the 7 closed PRs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hyperpolymath